Are your RSS feeds a security risk?

We’ve all done it: you’ve had a long day at work, you write a quick blog entry when you get home late at night, forget to spell-check it and release it to the masses, blissfully unaware. The next morning you read the drivel you posted and edit it for grammar and spelling mistakes, hoping that nobody noticed.

Only, they did.

It showed up in their feed-readers as soon as you hit publish, archived for all of eternity should they so wish. In this instance, it’s only a few spelling mistakes and typos, it’s not a huge deal and in all honesty, only the particularly finicky would have noticed anyway.

But what about when it’s something a little more controversial?

Picture this if you will: you’ve just had a majorly bad dealing with a supplier/client/colleague, and in the heat of the moment you log onto your blog and write a lengthy rant declaring their incompetence. 5 minutes later realisation hits home and you delete the entry immediately. Phew. Or not. What you forget is that a (possibly large) number of people may already have received that post in their feed-readers, and your seemingly final act of deletion is rendered completely useless should they not refresh their feeds – or worse – save the article on purpose.

That’s not the only scenario of doom and despair. Say for instance, your company has a blog, and you have a hidden category that only employees can post to and view. This category contains some potentially dynamite material in the wrong hands and oops – you just forgot to choose the category and published it to the default, sending it out to all of those lovely feed-readers. There’s no undo, you could take your entire web presence offline and those feed-readers will still have a copy of your private moments.

Then there’s the personal blog. You’ve got a few categories for personal (let’s say, emotional) entries, maybe one for ideas for the next big invention/startup, and another for your terrible love poetry. You mark these entries as private and think nothing of writing them once you get into the swing of things. Occasionally you’ll forget to mark one as private, displaying it on your front page for all of 10 seconds until you realise, but that’s okay, you fixed it.

Wrong.

RSS feeds could potentially ruin your business, livelihood, relationships and reputation if not given the appropriate consideration. Don’t get me wrong, I love them and use them excessively, but let us not for a second consider feeds to be harmless, useful little channels through which we spread our news. Let us take them as seriously as we would take committing something to print in a very large publication, because effectively you are, and the internet has a far bigger reach than any printed publication.

So, what can we do about it?

Obviously, we can all take a lot more precautions. Read, re-read and re-read. Do an all systems check before launching, and generally exercise a lot more caution, but personally I think that we as web developers can do more.

Let’s look into flagging entries for changes and the ability to disable local caching in feed-readers. Let’s put a delay on RSS publication, say 15 minutes after the article itself is published. Let’s develop the RSS spec to take into account these measures, and let’s work together to find more solutions to a problem that we have barely acknowledged even exists yet. Because if we don’t, we may live to regret it, and we all know that prevention is far, far better than the cure.
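The publication delay is the one measure above that a blog can implement on its own, without changes to the RSS spec or to feed-readers. The following is an added example, not code from the original post or from any particular blogging platform: a feed generator that withholds a post from the public feed until it is older than a correction window (15 minutes, the delay proposed above), drops posts deleted inside that window, and never syndicates posts in private categories. The `Post` model, the category names, the site URL and the sample posts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from xml.sax.saxutils import escape

# Hypothetical settings: the 15-minute hold proposed in the post, plus the
# categories that must never reach the feed (names are constructed here).
EMBARGO = timedelta(minutes=15)
PRIVATE_CATEGORIES = frozenset({"private", "staff-only"})


@dataclass
class Post:
    slug: str
    title: str
    body: str
    published: datetime          # timezone-aware publish time
    categories: tuple = ()
    deleted: bool = False


def feed_eligible(posts, now, embargo=EMBARGO, private=PRIVATE_CATEGORIES):
    """Return the posts that may be syndicated at time `now`, newest first.

    A post is withheld while it is younger than `embargo` (the author's
    correction window), if it has been deleted, or if any of its categories
    is private.  Withholding is the only control the publisher really has:
    once a reader has fetched an item, nothing here can recall it.
    """
    out = []
    for p in posts:
        if p.deleted:
            continue
        if private.intersection(p.categories):
            continue
        if p.published > now - embargo:      # still inside the window
            continue
        out.append(p)
    return sorted(out, key=lambda p: p.published, reverse=True)


def render_rss(posts, now, site="https://example.invalid", title="Example blog"):
    """Render an RSS 2.0 document containing only the eligible posts."""
    items = []
    for p in feed_eligible(posts, now):
        url = f"{site}/{p.slug}"
        items.append(
            "    <item>\n"
            f"      <title>{escape(p.title)}</title>\n"
            f"      <link>{url}</link>\n"
            f'      <guid isPermaLink="true">{url}</guid>\n'
            f"      <pubDate>{format_datetime(p.published)}</pubDate>\n"
            f"      <description>{escape(p.body)}</description>\n"
            "    </item>"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<rss version="2.0">\n'
        "  <channel>\n"
        f"    <title>{escape(title)}</title>\n"
        f"    <link>{site}</link>\n"
        f"    <lastBuildDate>{format_datetime(now)}</lastBuildDate>\n"
        + "\n".join(items) + ("\n" if items else "")
        + "  </channel>\n</rss>\n"
    )


# Constructed sample data so the example runs stand-alone.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=20)          # after the window has closed
SAMPLE_POSTS = [
    Post("old-news", "Old news", "Safe to syndicate", NOW - timedelta(hours=2)),
    Post("rant", "Angry rant", "Deleted inside the window",
         NOW - timedelta(minutes=5), deleted=True),
    Post("fresh", "Just published", "Still in the correction window",
         NOW - timedelta(minutes=3)),
    Post("memo", "Staff memo", "Never syndicated",
         NOW - timedelta(hours=1), categories=("staff-only",)),
    Post("poem", "Love poem", "Marked private",
         NOW - timedelta(days=1), categories=("private", "personal")),
]

if __name__ == "__main__":
    print(render_rss(SAMPLE_POSTS, NOW))
```

Run at `NOW`, only "Old news" is in the feed; the rant was deleted before the window closed and so never left the server, and the fresh post appears only once the feed is rebuilt after `LATER`. The `<pubDate>` stays the real publish time, so readers still sort the item correctly even though it reached them 15 minutes late.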